[Opendnssec-user] Generating public/private key

Aki Tuomi cmouse at cmouse.fi
Tue Apr 15 19:05:46 UTC 2014


On Tue, Apr 15, 2014 at 09:18:20PM +0300, Aki Tuomi wrote:
> On Tue, Apr 15, 2014 at 08:04:27PM +0200, Rickard Bellgrim wrote:
> > On Tue, Apr 15, 2014 at 7:11 PM, Aki Tuomi <cmouse at cmouse.fi> wrote:
> > 
> > > Also. I tested that the database ends up in VERY different state when one
> > > performs
> > >
> > > --export
> > > --init-token
> > > --import
> > >
> > > than it does with C_GenerateKeyPair()
> > >
> > > Is there something else one needs to do after C_GenerateKeyPair that I am
> > > not currently doing?
> > 
> > 
> > The import command uses another template than what you have in your code.
> > See the code here:
> > https://github.com/opendnssec/SoftHSMv1/blob/develop/src/bin/softhsm.cpp#L686
> > 
> > E.g. CKA_TOKEN is set to true (if not present, SoftHSM will set it to
> > false), thus keeping the public key object. The export/import commands are
> > only handling the key material. They are simple commands and you, as a
> > user, can only set the label and the id.
> > 
> > Please read more in the PKCS#11 document (
> > ftp://ftp.rsasecurity.com/pub/pkcs/pkcs-11/v2-20/pkcs-11v2-20.pdf) for more
> > details on attributes, default values, and how objects are handled using
> > C_CreateObject / C_GenerateKeyPair.
> > 
> > // Rickard
> 
> Thank you very much, this is very helpful! 
> 
> Aki 

The problem was rectified when I added the following attributes to the public template

CKA_TOKEN, TRUE
CKA_CLASS, CKO_PUBLIC_KEY
CKA_KEY_TYPE, CKK_RSA

And these to the private template
CKA_CLASS, CKO_PRIVATE_KEY
CKA_KEY_TYPE, CKK_RSA

Thank you again for your help.
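As an added illustration (not code from this thread or from SoftHSM), here is what those corrected templates look like in C, together with a check that catches a missing CKA_TOKEN before C_GenerateKeyPair() is called. The PKCS#11 definitions are a hand-copied minimal subset standing in for pkcs11.h, and the label is a constructed sample value.

```c
/* Minimal subset of PKCS#11 v2.20 (normally from pkcs11.h); numeric values
 * are the standard ones. */
typedef unsigned long CK_ULONG;
typedef unsigned char CK_BBOOL;
typedef struct { CK_ULONG type; void *pValue; CK_ULONG ulValueLen; } CK_ATTRIBUTE;
#define CK_TRUE          1
#define CKA_CLASS        0x000UL
#define CKA_TOKEN        0x001UL
#define CKA_LABEL        0x003UL
#define CKA_KEY_TYPE     0x100UL
#define CKA_SENSITIVE    0x103UL
#define CKA_SIGN         0x108UL
#define CKA_VERIFY       0x10AUL
#define CKA_MODULUS_BITS 0x121UL
#define CKO_PUBLIC_KEY   2UL
#define CKO_PRIVATE_KEY  3UL
#define CKK_RSA          0UL

static CK_BBOOL ck_true = CK_TRUE;
static CK_ULONG pub_class = CKO_PUBLIC_KEY, priv_class = CKO_PRIVATE_KEY;
static CK_ULONG key_type = CKK_RSA, modulus_bits = 2048;
static char label[] = "example-zsk"; /* constructed sample label */

/* Explicit CKA_TOKEN, CKA_CLASS and CKA_KEY_TYPE on both halves, so the
 * objects persist on the token the way softhsm --import stores them. */
static CK_ATTRIBUTE pub_tmpl[] = {
    { CKA_CLASS,        &pub_class,    sizeof pub_class },
    { CKA_KEY_TYPE,     &key_type,     sizeof key_type },
    { CKA_TOKEN,        &ck_true,      sizeof ck_true },
    { CKA_VERIFY,       &ck_true,      sizeof ck_true },
    { CKA_MODULUS_BITS, &modulus_bits, sizeof modulus_bits },
    { CKA_LABEL,        label,         sizeof label - 1 },
};
static CK_ATTRIBUTE priv_tmpl[] = {
    { CKA_CLASS,     &priv_class, sizeof priv_class },
    { CKA_KEY_TYPE,  &key_type,   sizeof key_type },
    { CKA_TOKEN,     &ck_true,    sizeof ck_true },
    { CKA_SENSITIVE, &ck_true,    sizeof ck_true }, /* never exported in clear */
    { CKA_SIGN,      &ck_true,    sizeof ck_true },
    { CKA_LABEL,     label,       sizeof label - 1 },
};

/* Returns 1 if the template explicitly requests a token (persistent) object.
 * A missing CKA_TOKEN defaults to CK_FALSE, which is what bit the poster.
 * Run on both templates before C_GenerateKeyPair(hSession, &mech, pub_tmpl,
 * 6, priv_tmpl, 6, &hPub, &hPriv) so a session-only key is caught early. */
int template_is_token_object(const CK_ATTRIBUTE *t, CK_ULONG n) {
    for (CK_ULONG i = 0; i < n; i++)
        if (t[i].type == CKA_TOKEN && t[i].ulValueLen == sizeof(CK_BBOOL))
            return *(const CK_BBOOL *)t[i].pValue == CK_TRUE;
    return 0;
}
```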

